Data Protection in 2025: What's ahead?

January 27, 2025

The Data (Use and Access) Bill, commonly referred to as the DUA Bill, is set to introduce updates to UK data protection laws in 2025. Introduced in October 2024, the Bill is currently advancing through Parliament and aims to refine, rather than completely overhaul, existing legislation.

The Bill proposes several key measures to modernise data protection, focusing on enhancing the use, access, and security of personal data across various sectors of the UK economy.  

Below are some of the notable changes included in the Bill:

Higher Penalties for PECR Violations

The Bill proposes aligning penalties for breaches of the Privacy and Electronic Communications Regulations (PECR) with those under UK GDPR. This would raise fines to a maximum of £17.5 million or 4% of global turnover, whichever is greater. Businesses would need to ensure compliance with PECR to avoid these heightened penalties.

Automated Decision-Making (ADM)

A major shift involves a revised framework for automated decision-making. The Bill narrows restrictions to focus on significant decisions involving special category data, where no meaningful human involvement is present.

International Data Transfers

The Bill introduces a more flexible, risk-based approach to international data transfers. It emphasises that data protection standards in destination countries must not be materially lower than those in the UK, offering greater adaptability compared to the EU's stricter "essential equivalence" standard.

Legitimate Interests

The Bill sets out different types of processing that would automatically qualify as legitimate interest, for example processing for direct marketing purposes, intra-group transfers and network security. The Bill also introduces a new ground for lawful processing, covering processing that is necessary for purposes such as national security, public safety or emergency response.

Other data protection changes expected in 2025

The European Commission is also planning updates to data protection laws, with the adoption of new Standard Contractual Clauses (SCCs) expected in 2025. These new SCCs will address scenarios involving data importers located outside the European Economic Area (EEA) but directly subject to the General Data Protection Regulation (GDPR). This includes companies offering goods and services to, or monitoring the behaviour of, individuals within the EU.

The revised SCCs aim to simplify compliance while maintaining robust data protection standards. While these changes apply specifically to EU data protection frameworks, the UK has its own mechanisms, including the International Data Transfer Agreement (IDTA) and the UK Addendum to the EU SCCs. As of now, there have been no announcements about changes to these UK-specific frameworks for 2025. Businesses should monitor both EU and UK developments to ensure compliance with cross-border data transfer requirements.

Summary

The DUA Bill signals important changes to the UK’s data protection landscape in 2025. Its overall goal is to balance the needs of businesses with the rights of individuals, fostering transparency, trust, and innovation in the digital age.

These reforms reflect the UK's commitment to maintaining high standards of data protection while enabling organisations to navigate an increasingly complex data environment. By creating a more secure and adaptable framework, the DUA Bill empowers both businesses and consumers to manage data with confidence and accountability.

In respect of the changes to EU SCCs, UK businesses should keep developments in this area under review to ensure cross-border data transfer requirements are met.  

We will be keeping an eye on developments as the DUA Bill progresses through Parliament in the coming months.  
